Checkpoint for working container addresses.

At this point I have a working system that hands out container IPv6
addresses that I can, at least, _ping_ from outside the LAN. I can't yet
get HTTP traffic.
This commit is contained in:
Eli Ribble 2024-08-21 12:18:47 -07:00
parent 574f9f7d83
commit 880fe6a7a1
1 changed files with 35 additions and 45 deletions


@ -241,7 +241,7 @@
''; '';
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall = { networking.firewall = {
enable = true; enable = false;
allowPing = true; allowPing = true;
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [ 80 443 ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
@ -280,17 +280,20 @@
system.stateVersion = "24.05"; # Did you read the comment? system.stateVersion = "24.05"; # Did you read the comment?
systemd.network.enable = true; systemd.network.enable = true;
systemd.network.netdevs."00-container-vlan" = { systemd.network.netdevs."00-container-ipvlan" = {
netdevConfig = { netdevConfig = {
Name = "podman-container-vlan"; Name = "podipvlan";
Kind = "vlan"; Kind = "ipvlan";
}; };
vlanConfig = { ipvlanConfig = {
Id = 1; Mode = "L2";
}; };
}; };
systemd.network.networks."10-wan" = { systemd.network.networks."10-wan" = {
matchConfig.Name = "enp2s0"; matchConfig.Name = "enp2s0";
dhcpV6Config = {
PrefixDelegationHint = "::/60";
};
networkConfig = { networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing # start a DHCP Client for IPv4 Addressing/Routing
DHCP = "ipv4"; DHCP = "ipv4";
@ -301,17 +304,38 @@
addressConfig = { addressConfig = {
Address="fd00::2/64"; Address="fd00::2/64";
}; };
} {
addressConfig = {
Address="::/0";
Scope="global";
};
}]; }];
ipv6PrefixDelegationConfig = {
Managed = true;
};
ipv6AcceptRAConfig = {
DHCPv6Client="always";
Token="prefixstable";
};
# make routing on this interface a dependency for network-online.target # make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
}; };
systemd.network.networks."20-container-ipvlan" = {
matchConfig = {
Name = "podipvlan";
Type = "ipvlan";
};
dhcpPrefixDelegationConfig = {
SubnetId=1;
};
dhcpV6Config = {
DUIDType="uuid";
};
networkConfig = {
IPv6DuplicateAddressDetection=1;
LinkLocalAddressing="ipv6";
};
};
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
systemd.services.scan-uploader = { systemd.services.scan-uploader = {
enable = true; enable = true;
@ -331,41 +355,7 @@
]; ];
# Enable podman since we are on NixOS 21.05 # Enable podman since we are on NixOS 21.05
virtualisation.docker.enable = false; virtualisation.docker.enable = false;
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
pihole = {
autoStart = true;
environment = {
TZ = "America/Phoenix";
DNSMASQ_LISTENING = "all";
};
extraOptions = ["--network=bridge"];
image = "docker.io/pihole/pihole:2024.07.0";
ports = [
"53:53/tcp"
"53:53/udp"
"67:67"
"127.0.0.1:10000:80"
];
volumes = [
"/etc/pihole/config:/etc/pihole"
"/etc/pihole/dnsmasq.d:/etc/dnsmasq.d"
];
};
};
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
virtualisation.podman.dockerSocket.enable = true; virtualisation.podman.dockerSocket.enable = true;
virtualisation.podman.defaultNetwork.settings = {
dns_enabled = false;
ipv6_enabled = true;
subnets = [{
gateway = "10.88.0.1";
subnet = "10.88.0.0/16";
}
{
gateway = "fd00::1:8:1";
subnet = "fd00::1:8:0/122";
}];
};
} }
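Review bot: Changing `enable = true;` to `enable = false;` in the first hunk turns the host firewall off entirely, so every listening service on the host, not just ports 80 and 443, becomes reachable on the global IPv6 address the later hunks acquire via prefix delegation, and the `allowedTCPPorts = [ 80 443 ];` line below it is now dead configuration. If ping works but HTTP does not, the cause is more likely in how traffic is forwarded toward the ipvlan than in the host filter, so keeping the firewall enabled and narrowing the investigation there would be safer than disabling it wholesale; at minimum the line should read `enable = false; # TEMPORARY: re-enable once IPv6 container routing works`. The third hunk likewise leaves `systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";` with nothing marking it as a debugging aid to be removed. The `networking.firewall` attribute set and the enclosing module both begin outside the hunk.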